Spammers attacking Microsoft's CAPTCHA -- again

Summary: Never let a human do a malware infected host's CAPTCHA recognition job.

TOPICS: Microsoft, Security

On their way to abusing the DomainKeys-verified server reputation in order to increase the probability of their spam emails reaching the recipients, spammers and malware authors are once again attempting to break Microsoft's "revisited" CAPTCHA, and are able to sign up Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense today:

"Spammers are once again targeting Microsoft's Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft's latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of anti-spam services offered by security vendors, carrying out streamlined anti-CAPTCHA operations on Microsoft's Live Mail, Google's Gmail, Microsoft's Live Hotmail, Google's Blogger, and Yahoo Mail."

A 10% to 15% recognition rate, or "one in every 8 to 10 attempts to sign up for a Live Hotmail account is successful" as stated by Websense, is a rather modest success rate given that the academic community has achieved a 92% recognition rate in the past. But with hundreds of thousands of malware infected hosts at their disposal, the spammers appear willing to allocate the resources despite the modest success rate, and are actively spamming through the newly registered bogus email accounts.

Is machine learning based CAPTCHA breaking the tactic of choice, or is the recently uncovered CAPTCHA solving economy, the outsourcing model, cost-effective enough to undermine the machine learning approach? With low-waged humans achieving a 100% recognition rate and processing "bogus account registration" orders, it may in fact be more cost-effective for a cybercriminal to outsource the process than to allocate their own resources and achieve a lower success rate. One thing's for sure: CAPTCHA based authentication has been persistently under attack from all fronts throughout 2008.
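As an added illustration, not part of the original post, the following Python looks at the numbers above from the defender's side: the expected number of sign-up attempts a solver needs at a given success rate, and a per-source check over constructed CAPTCHA outcome data that separates a source grinding at the quoted 10-15% bot rate from people who pass within a few tries. The source names, outcome strings and thresholds are constructed assumptions, not data from the article or from Websense.

```python
from collections import Counter

# Constructed CAPTCHA outcomes per sign-up source (not real data).
# "P" = CAPTCHA passed, "F" = failed, one character per attempt.
# "src-bot" is drawn to match the 10-15% success rate the article quotes;
# the human sources pass within a few tries, as people usually do.
SAMPLE_OUTCOMES = {
    "src-bot":   "FFFFFFFFFP" * 4,  # 4 passes in 40 attempts = 10%
    "src-alice": "FP",              # passed on the second try
    "src-bob":   "P",               # passed first time
    "src-carol": "FFP",             # needed three tries
}


def expected_attempts_per_account(success_rate):
    """Mean attempts per successful sign-up when each attempt passes
    independently with probability success_rate (geometric: 1 / p)."""
    if not 0 < success_rate <= 1:
        raise ValueError("success_rate must be in (0, 1]")
    return 1 / success_rate


def summarize(outcomes):
    """Per-source attempt count, pass count and pass rate."""
    stats = {}
    for src, seq in outcomes.items():
        counts = Counter(seq)
        attempts = len(seq)
        stats[src] = {
            "attempts": attempts,
            "passes": counts["P"],
            "pass_rate": counts["P"] / attempts if attempts else 0.0,
        }
    return stats


def flag_automated(stats, min_attempts=20, max_pass_rate=0.3):
    """Sources with bot-like volume and a low pass rate.  A person retries a
    handful of times and mostly passes; a bot grinding at 10-15% needs many
    attempts per account.  Thresholds are illustrative assumptions."""
    return sorted(
        src for src, s in stats.items()
        if s["attempts"] >= min_attempts and s["pass_rate"] <= max_pass_rate
    )


if __name__ == "__main__":
    for p in (0.10, 0.15):
        print(f"{p:.0%} success -> {expected_attempts_per_account(p):.1f} attempts/account")
    print("flagged:", flag_automated(summarize(SAMPLE_OUTCOMES)))
```

At 10% a bot burns about ten attempts per bogus account, so the failed attempts, not the successes, are the loud signal at the registration endpoint.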

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • I'm all for shutting down...

    mail servers that are spamming. No matter how big they are. If my server started spamming, my ISP would give me one shot to clean it up. If I didn't or couldn't it would be blocked. Just because it's Microsoft doesn't mean they should have special treatment.

    Networks this size are unmanageable.
    • RE: Spammers attacking Microsoft's CAPTCHA -- again

      You're very welcome :) rolex watches
  • RE: Spammers attacking Microsoft's CAPTCHA -- again

    The real problem is that there is essentially no law enforcement effort going into capturing and imprisoning the crooks who are responsible for this, due to the stupidity and ignorance of legislators.

    Spam is organized crime, and needs to be treated as such.

    Every "doomsday" prediction about the damage that spam would do if left unchecked has not only come true, but been greatly exceeded.

    A few years ago, folks like me were mocked and scorned for suggesting that half of all email would soon be spam.

    Today we're looking at numbers more like 95% spam, and the lame CAN-SPAM act which was already a joke when enacted is now simply irrelevant.
  • RE: Spammers attacking Microsoft's CAPTCHA -- again

    Shutting down the servers is clearly not the answer. The spammers will just find other servers. SEVERE Criminal Prosecution is our only hope. Finding, arresting and Prosecuting the spammers will send a message to the other spammers that they risk YEARS in the Penitentiary. I am talking at least 5-10 years without parole & No Access to Computers, period. Also HUGE fines. This is Criminal activity & needs to be treated as such.
  • 100% Success Rate for Humans?

    You've got to be kidding. I only get the CAPTCHA right 65% of the time.
    • Me too!

      Half the time, I can't read those symbols. I have to ask for a new set...
      Curtis R. Shupe
    • 65%?

      I can't even get that rate. And when I try to use the audio Captcha instead, it's even worse.
    • LOL!

      Glad to see I'm not alone in being unable to interpret those images sometimes. Figures the intended users would struggle and the spammers would have better success...
  • RE: Spammers attacking Microsoft's CAPTCHA -- again

    Is this a problem only with FREE email accounts? If so, the ISPs could charge a dollar on a valid credit or debit card (and even refund the amount later if they wanted to). Allowing that not everybody has a credit or debit card, is this a possible solution to the problem itself?
    • RE: Valid Credit Card

      That really is the problem. It's amazing the number of people who have neither. Plus, it's not a very global solution. They have customers (and domains) for half the TLD's out there.
  • Shutdown the advertised site?

    Shouldn't the authorities be more proactive about going after the sites that are advertised in SPAM mails. That way the spammers would have their funding cut off.

    I regularly receive 4 or 5 SPAMs a day advertising an online Canadian pharmacy, selling Viagra and other cheap drugs. If the online site was shutdown or blocked by ISPs, it would be more of a deterrent to them sending out SPAM themselves, or out sourcing to mass spammers.
    • I agree 100%

      The only way to stop spam and adware is to go after the advertiser, they are the root cause of it all. Ok, 3/4 of the cause the other 1/4 is the idiots that actually purchased something from spam.
    • You're trying to be funny?

      Because you kind of failed.

      That was as stupid as saying "if somebody puts up a bunch of fliers about a company, said company should be shut down by the authorities!".

      P.S. PLEASE don't tell me you're actually serious and that I actually need to explain what the problem with this is...
      • No dumbass

        If it can be proved that the company is linked to the spam, I see no reason why authorities couldn't shut the site down.

        Obviously anyone could send out SPAM advertising a rival's website, so you wouldn't shut them down without evidence. But in the case of online pharmacies, it's fairly obvious they are spamming, or getting people to spam on their behalf. The Canadian pharmacy in my example above has several different domains registered pointing to their site which have nothing to do with medicine, or drugs, so it's obvious they are taking part in spamming, as they registered the different URLs to get around URL blacklists.
      • Yes, Absolutely

        Spammers do everything free - flyers pay dearly for printing the flyers and the labor to distribute them.

        Charge $10 for each new mail account, then give rebates x per address (for the legitimate users) and see whether the spammers will put up any money.
    • Oh - is that a valid site?

      I thought that it was just a way of collecting credit card information...
    • same here

      I also receive some messages with subjects pharmacy, viagra etc. Fortunately Windows live hotmail filters it and my inbox will always be spam-free, though the spam folder won't be :P
  • RE: Spammers attacking Microsoft's CAPTCHA -- again

    shoot the spammers
  • RE: Spammers attacking Microsoft's CAPTCHA -- again

    I would agree with cgarrett, Some CAPTCHAs are so obscure as to be almost unreadable, even for us humans! How do the bad guys get through this?
    • They don't - that is why the reported success rate is 15%

      Humans are usually given a second chance or third chance as well.

      The programming loop is unlikely to go "Try ten times or until successful". So, the bot moves on.